EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow PoC

Title: EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow PoC
Advisory ID: ZSL-2010-4935
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 22.04.2010
Summary
Do you want to learn how to draw? Now you can online! Learn how to draw like a local application with Edraw Flowchart ActiveX Control that lets you quickly build basic flowcharts, organizational charts, business charts, hr diagram, work flow, programming flowchart and network diagrams.
Description
EDraw Flowchart ActiveX Control version 2.3 suffers from a buffer overflow vulnerability when parsing .edd file format resulting in an application crash and overwritten few memory registers which can aid the attacker to execute arbitrary code.

--------------------------------------------------------------------------------

(305c.1ee4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=027a0020 ebx=00000000 ecx=0c841000 edx=3fffff45 esi=0012f2e4 edi=41414141
eip=10083bbd esp=0012f198 ebp=01055734 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
EDImage!DllUnregisterServer+0x5594d:
10083bbd 895904 mov dword ptr [ecx+4],ebx ds:0023:0c841004=????????

--------------------------------------------------------------------------------

Vendor
EdrawSoft - http://www.edrawsoft.com
Affected Version
2.3.0.6
Tested On
Microsoft Windows XP Professional Service Pack 3 (English)
Vendor Status
N/A
PoC
edraw_edd.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/12342
[2] http://securityreason.com/wlb_show/WLB-2010040150
[3] http://www.securityfocus.com/bid/39642
[4] http://www.packetstormsecurity.org/filedesc/edraw-overflow.txt.html
[5] http://www.juniper.net/security/auto/vulnerabilities/vuln39642.html
[6] http://vfocus.net/art/20100423/7009.html
Changelog
[22.04.2010] - Initial release
[23.04.2010] - Added reference [2], [3], [4], [5] and [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk